1) The user needs to go through only 3 simple steps instead of 6 complicated ones.
2) We trust that the user authenticated to their email account with a secure password, so no further validation is required.
3) The exchange password is never used or entered, which means it can't be stolen.
4) There is no chance to set up a fake exchange page and steal API keys.
5) The API keys are never copied to the client clipboard or typed on the keyboard, so they can't be stolen or captured.
6) The exchange is not required to change its existing API server.

Cons

1) The exchange has to run an additional API server.

More details: how does it work?

When the user enters their exchange email and presses the button to create a Qt Bitcoin Trader profile, the application connects to an API designed specifically for Qt Bitcoin Trader and sends a request to create new temporary API keys. It receives the API keys immediately. These API keys stay suspended awaiting email confirmation for 24 hours, and are then deleted. If the user starts the Qt Bitcoin Trader profile without email confirmation, a warning is displayed. If there is more than 1 request per hour from a single IP address, then when the app sends the email to the exchange, the exchange tells the app to show a captcha. After the user clicks the link in the email, a special page on the exchange website should open and display the time and IP address of the client that sent the API key validation request, plus one more confirmation button. Once email confirmation is done, the API keys and Qt Bitcoin Trader start working.

The exchange should create one more API server that holds all temporary API keys and sends the email validation URL. Once the email URL has been clicked and verified, this API server should send the API keys to the main server and activate them.
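The flow described in the two paragraphs above, modelled as an added Python example (not code from Qt Bitcoin Trader or any exchange). The class name, field names, the in-memory `outbox` standing in for outgoing email, and the single-use confirmation link are assumptions made for illustration.

```python
import secrets

KEY_TTL = 24 * 3600    # suspended keys are deleted after 24 hours
RATE_WINDOW = 3600     # more than 1 request per hour per IP requires a captcha

class TempKeyServer:
    """Hypothetical model of the additional API server holding temporary keys."""
    def __init__(self):
        self.pending = {}    # emailed token -> suspended key record
        self.active = {}     # key id -> record (stands in for the main server)
        self.requests = {}   # ip -> timestamps of accepted key requests
        self.outbox = []     # (email, token) pairs; stands in for sending mail

    def request_keys(self, email, ip, now, captcha_solved=False):
        recent = [t for t in self.requests.get(ip, []) if now - t < RATE_WINDOW]
        self.requests[ip] = recent
        if recent and not captcha_solved:
            return {"status": "captcha_required"}
        self.requests[ip].append(now)
        rec = {"key_id": secrets.token_hex(8), "secret": secrets.token_urlsafe(32),
               "email": email, "ip": ip, "requested_at": now}
        token = secrets.token_urlsafe(32)   # travels only inside the emailed link
        self.pending[token] = rec
        self.outbox.append((email, token))
        return {"status": "suspended", "key_id": rec["key_id"], "secret": rec["secret"]}

    def _live(self, token, now):
        rec = self.pending.get(token)
        if rec and now - rec["requested_at"] >= KEY_TTL:
            del self.pending[token]         # expired: delete the suspended keys
            return None
        return rec

    def confirmation_page(self, token, now):
        rec = self._live(token, now)        # page shows request time and client IP
        return rec and {"requested_at": rec["requested_at"], "ip": rec["ip"]}

    def confirm(self, token, now):
        rec = self._live(token, now)
        if rec is None:
            return False
        del self.pending[token]             # link is single use (added assumption)
        self.active[rec["key_id"]] = rec    # "send keys to main server and activate"
        return True

    def is_active(self, key_id):
        return key_id in self.active
```

The app receives the key pair immediately, but `is_active` stays false until the emailed token is confirmed within the 24-hour window.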